Versions Compared

Old Version 35

changes.mady.by.user Daria Lebedeva

Saved on

compared with

New Version Current

changes.mady.by.user Daria Lebedeva

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

AWS

Log index

Instruction

alb, elb

Ensure that that logging for ALB/ELB is on and logs are being stored in S3 Bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions)

aws-config

Enable AWS Config as described in AWS Documentation

Ensure that Cloudaware has been granted with the permission config:Des* (or config:DescribeDeliveryChannels as minimum)

billing

Ensure that your billing integration is set up according to Cloudaware AWS Billing Guide (your billing is consolidated under AWS account and S3 bucket where billing files are stored should be added to Cloudaware)

cloudfront

Enable logging as described in this external guide

Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions)

cloudtrail

Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be present to Cloudaware)

eks-logs

Ensure Amazon EKS is enabled as described in AWS Documentation

Ensure that Cloudaware has been granted with permissions logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

aws-rds

Cloudaware tracks RDS logs in both CloudWatch and events from DB instance. Ensure that Cloudaware has the following permissions*:

  • for logs from CloudWatch: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

  • for logs from DB instance: rds:DescribeDBInstances, rds:DescribeDBLogFiles, rds:DownloadCompleteDBLogFile, rds:DownloadDBLogFilePortion

*These permissions are predefined in Cloudaware Conflux Collector policy.

lambda

Ensure that Cloudaware has been granted with permissions logs:DescribeLogGroups, logs:DescribeLogStreams, logs:ListTagsForResource and logs:GetLogEvents.
Cloudaware automatically discovers CloudWatch groups where Lambda logs are stored. If the search didn't bring results, tag the group(s) with log-source: lambda tag.

route53

Ensure that logging for DNS Queries is enabled as described in AWS Documentation

s3-access-logs*

Ensure that logging for S3 is enabled as described in AWS Documentation

vpc-flow-logs

Ensure

that logging for network interface of VPC is enabled

VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation

waf-logs

Ensure that WAF logs are being stored in S3 Bucket or in CloudWatch Logs. Grant Cloudaware with access to this bucket (kinesis:DescribeStream and kinesis:ListStreams permissions should be in place,

 along

along with s3:ListBucket and s3:GetObject or logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents depending on the log destination)

* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role on the account level, where the log bucket is located. Below is the example of a custom policy granting decrypt permissions, in addition to the necessary list* and get* permissions:

Code Block
{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
   ],
   "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
   "Effect": "Allow",
   "Sid": "AllowAccessToKMSCloudtrailBucket"
  },
  {
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
   ],
   "Effect": "Allow",
   "Sid": "AllowAccessToLogsBucket"
  },
  {
   "Action": [
    "s3:GetObject"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
   ],
   "Effect": "Allow"
  }
 ]
}

WHERE

<KEY_PLACEHOLDER> should bу replaced by a corresponding encryption key

<BUCKET_ID>should bу replaced by a corresponding bucket id

<REGION> should bу replaced by a corresponding bucket region

Azure

Log Index

Instruction

azure-activity

Ensure that the Reader role has been assigned to Cloudaware based on Cloudaware Azure Start

Guide

azure-billing

Ensure that your billing integration is set up according to Cloudaware Microsoft Azure Billing

Guide

azure-flowlogs

Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys (Microsoft.Storage/storageAccounts/listKeys/action permission)

Google Cloud

Log index

Instruction

google-audit-

Ensure that Cloud logging is enabled as described in Google Cloud Documentation

Host Level

Log index

Instruction

metricbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, metribeat may generate a significant number of logs

winlogbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, winglobeat may generate a significant number of logs

filebeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, filebeat may generate a significant number of logs

packetbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, packetbeat may generate a significant number of logs

* DNS name and IP address will be provided after Conflux is enabled for you in Cloudaware

Okta

Log index

Instruction

log-okta-system-

Provide Cloudaware support with your Okta URL and token (you can generate a token using Okta documentation here)

OneLogin

Log index

Instruction

log-onelogin-

Contact Cloudaware to request the Listener URL and a token required to create a webhook in OneLogin. Use the provided parameters in the field 'Custom headers' in OneLogin UI (Developers → Webhooks). Specify the format as JSON Array when creating the webhook. Here is an example:

Code Block
Listener URL:  https://COMPANYNAME-conflux.cloudaware.com:XXXX
Custom Headers:
    conflux: Xxx1xxxx0xxxxxXXxX
Format:  JSON Array